The Play ransomware group has introduced a Linux variant of its malware that specifically targets VMware ESXi environments, according to recent findings from Trend Micro.
First detected in June 2022, the Play ransomware has gained notoriety for its sophisticated double-extortion tactics, custom-built tools and significant impact on organizations, especially in Latin America.
Expansion to ESXi Environments
According to an advisory published by Trend Micro last week, this is the first recorded instance of Play ransomware targeting ESXi environments, suggesting the group is expanding its attacks to the Linux platform. The move potentially widens the victim pool and could strengthen the group's hand in ransom negotiations.
VMware ESXi hosts are crucial for businesses because a single hypervisor runs many virtual machines (VMs) carrying essential applications and data. Compromising one host therefore disrupts every VM on it at once, and can also take out backups that are reachable from the hypervisor, making recovery far more difficult.
Infection Chain and Tools Used
The research highlights that from January to July 2024, the US has seen the highest number of Play ransomware victims, with the manufacturing and professional services sectors the most affected. A significant concern is the ransomware's ability to evade security detections: at the time of Trend Micro's analysis the Linux sample had zero detections on VirusTotal, so signature-based scanning alone cannot be relied on to catch it.
The infection chain of this variant includes a familiar toolset: PsExec (remote execution), NetScan (network scanning), WinSCP and WinRAR (file transfer and archiving) and the Coroxy backdoor. These tools were hosted on an IP address previously associated with Play ransomware attacks, which is what ties the Linux sample to the group.
The sample analyzed by Trend Micro runs ESXi-specific commands to confirm it is executing on an ESXi host before starting its malicious routines. If those commands are not present, the ransomware exits, which keeps it from running, and being noticed, on a system that is not its intended target.
The Play ransomware executes shell script commands to enumerate and power off all VMs in the environment (a running VM keeps its disk files locked, so they must be stopped before they can be encrypted in place), then encrypts the VM files, including the virtual disks and other critical data, appending the extension ".PLAY" to each affected file. A ransom note is then displayed both in the ESXi client login portal and in the root directory.
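A triage helper for exactly this behaviour, added here as an example (it is not Trend Micro's code and nothing from the sample itself): it walks a datastore tree, uses the ".PLAY" extension described above to tell encrypted VM files from intact ones, and reports which VMs are hit and which could still be powered on without a restore. The one-directory-per-VM layout, the table of VM file types and the sample tree it scans are assumptions constructed for the example, not details from the article.

```python
"""Triage helper for an ESXi datastore hit by the Play Linux variant.

Added example, not Trend Micro's analysis code and not taken from the
ransomware. It relies only on the behaviour the article describes
(encrypted files keep their original name with ".PLAY" appended) and
assumes the usual ESXi datastore layout of one directory per VM
(/vmfs/volumes/<datastore>/<vm>/...), which is this example's assumption.
"""
import os
import shutil
import tempfile
from collections import defaultdict

PLAY_EXT = ".PLAY"

# VM artefacts that matter for recovery. Assumption based on standard
# ESXi file naming, not something the article lists.
VM_FILE_TYPES = {
    ".vmx": "config",
    ".vmdk": "disk",
    ".vmsd": "snapshot metadata",
    ".vmsn": "snapshot state",
    ".nvram": "firmware state",
    ".log": "vm log",
}


def classify(name):
    """Split one file name into (original_name, original_suffix, encrypted)."""
    encrypted = name.endswith(PLAY_EXT)
    original = name[: -len(PLAY_EXT)] if encrypted else name
    suffix = os.path.splitext(original)[1].lower()
    return original, suffix, encrypted


def scan_datastore(root):
    """Walk a datastore and bucket VM files per VM directory.

    Returns {vm_dir: {"encrypted": [names], "intact": [names]}}. Files that
    are not VM artefacts (for example a dropped ransom note) are ignored.
    """
    report = defaultdict(lambda: {"encrypted": [], "intact": []})
    for dirpath, _dirs, files in os.walk(root):
        vm = os.path.relpath(dirpath, root)
        for name in sorted(files):
            original, suffix, encrypted = classify(name)
            if suffix not in VM_FILE_TYPES:
                continue
            report[vm]["encrypted" if encrypted else "intact"].append(original)
    return dict(report)


def affected_vms(report):
    """VM directories containing at least one ".PLAY" file."""
    return sorted(vm for vm, r in report.items() if r["encrypted"])


def recoverable_vms(report):
    """VMs whose .vmx and every .vmdk are intact, i.e. candidates to boot as-is."""
    good = []
    for vm, r in report.items():
        intact_sfx = {classify(n)[1] for n in r["intact"]}
        enc_sfx = {classify(n)[1] for n in r["encrypted"]}
        if {".vmx", ".vmdk"} <= intact_sfx and not enc_sfx & {".vmx", ".vmdk"}:
            good.append(vm)
    return sorted(good)


def summarise(report):
    """Human-readable lines for the incident channel."""
    return [
        f"{vm}: {len(r['encrypted'])} encrypted, {len(r['intact'])} intact"
        for vm, r in sorted(report.items())
    ]


def build_sample_datastore():
    """Constructed sample tree (not real incident data): two VMs hit, one not."""
    root = tempfile.mkdtemp(prefix="datastore1-")
    layout = {
        "web01": ["web01.vmx.PLAY", "web01.vmdk.PLAY", "web01-flat.vmdk.PLAY", "vmware.log"],
        "db01": ["db01.vmx.PLAY", "db01.vmdk", "db01-flat.vmdk.PLAY", "db01.nvram.PLAY"],
        "jump01": ["jump01.vmx", "jump01.vmdk", "jump01-flat.vmdk"],
    }
    for vm, files in layout.items():
        os.makedirs(os.path.join(root, vm))
        for name in files:
            with open(os.path.join(root, vm, name), "wb") as fh:
                fh.write(b"placeholder")
    return root


if __name__ == "__main__":
    root = build_sample_datastore()
    try:
        rep = scan_datastore(root)
        print("\n".join(summarise(rep)))
        print("affected:", affected_vms(rep))
        print("bootable without restore:", recoverable_vms(rep))
    finally:
        shutil.rmtree(root)
```

Against a real host you would point scan_datastore at each /vmfs/volumes/<datastore> after the host has been isolated and imaged; the walk is read-only, but any script run on a hypervisor the attacker reached should be treated as running on hostile ground, so copy the output off-box rather than trusting what the host shows you.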
Connection to Prolific Puma
Additionally, the study reveals a connection between the Play ransomware group and another threat actor known as Prolific Puma. Prolific Puma is notorious for registering large numbers of algorithmically generated domains and for offering a link-shortening service that other cybercriminals use to evade detection.
ESXi environments, being high-value targets, require robust security measures to mitigate ransomware attacks.
Recommended practices include regular patching and updates (with virtual patching where a fix cannot be applied immediately), correcting misconfigurations, strong access controls on the hypervisor and its management interfaces, network segmentation, minimizing the attack surface, maintaining offline backups that the hypervisor itself cannot reach, and deploying security monitoring and incident response capabilities.